
Well, as Maybank has (I assume) the largest customer base in Malaysia and most of them (including me) use the online services offered by this bank, of course these customers will be the main target of phishing attempts. Nowadays the phishers not only want the identity and authentication details to access the online portal account, but also the TAC (Transaction Authorization Code). So what is this TAC number for? Based on the Maybank website:

“TAC is not used for login but for specific transactions and types of activities. TAC will expire after 2 hours if you do not use it, upon request. Once it is activated, you may still use it for another 2 hours. You may perform several transactions with the same TAC.” Now you know why the phishers really want the TAC number.. ;)

The email that I received. They never give up, do they?


So, like the email that I received previously (and yeah, I’ve posted about it as well), the recent email is something like an upgraded version, where it seems that the email was really sent from notify@maybank2u.com.my. But like I mentioned in my previous post, I have this habit of looking into the email headers when I receive emails that I deem to be from important parties, just to make sure that the emails are really from them. So when I viewed the source of this particular email, the truth prevailed :D

Received: from smtp3.datawareservices.com (smtp3.datawareservices.com [66.115.227.195])
by spaceymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 58413188FC0
for <hazrul@hazrulnz.net>; Mon, 23 Feb 2009 20:20:08 -0800 (PST)
Received: from 78-141-15-22.rdns.as8401.net [78.141.15.22] by smtp3.datawareservices.com with SMTP;
Mon, 23 Feb 2009 22:16:54 -0600

OK, obviously the email WAS NOT sent from any authorized or valid Maybank SMTP server, and if we perform an MX record search for maybank2u.com.my… there’s none. All Maybank related emails are sent via their SMTP servers xx.maybank.com.my. Just perform an MX record lookup for maybank.com.my and you’ll know why. Btw, I’ve received emails from Maybank personnel regarding my portal account, and that’s one of the ways I know :D
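To make the header check above repeatable, here is an added example (not code from the original post) that parses the Received chain of a raw message with the Python standard library, finds the earliest hop (the machine that first injected the mail), and flags every relay whose organisational domain does not match the domain in the From header. The sample message embeds the post's own two Received headers plus a constructed From line; org_domain() is a crude heuristic I wrote for the example, not a public-suffix lookup.

```python
import email
import re
from collections import namedtuple
from email.utils import parseaddr

# Constructed sample: the two Received headers quoted in the post, wrapped in
# a minimal message so that the standard-library parser can read them.
RAW_MESSAGE = """\
Received: from smtp3.datawareservices.com (smtp3.datawareservices.com [66.115.227.195])
 by spaceymail-mx3.g.dreamhost.com (Postfix) with ESMTP id 58413188FC0
 for <hazrul@hazrulnz.net>; Mon, 23 Feb 2009 20:20:08 -0800 (PST)
Received: from 78-141-15-22.rdns.as8401.net [78.141.15.22] by smtp3.datawareservices.com with SMTP;
 Mon, 23 Feb 2009 22:16:54 -0600
From: Maybank2u <notify@maybank2u.com.my>
Subject: Account verification

(body omitted)
"""

Hop = namedtuple("Hop", "from_host from_ip by_host")

def org_domain(host):
    """Crude organisational domain (assumption, not a public-suffix list):
    last two labels, or three under .com.my / .co.uk style second levels."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("com", "co", "net", "org", "gov", "edu") else 2
    return ".".join(labels[-n:])

def parse_received(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one
    Received header; folded continuation lines are joined first."""
    value = " ".join(value.split())
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", value, re.I)
    if not m:
        return None
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
    return Hop(m.group(1).lower(), ip.group(1) if ip else None, m.group(3).lower().rstrip(";"))

def received_chain(raw):
    """Hops in the order they appear: newest first, so the last entry is the
    machine that first handed the message to the relay chain."""
    msg = email.message_from_string(raw)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]

def suspicious_hops(raw):
    """Relay hosts that do not belong to the claimed sender's organisation.
    A mismatch is a prompt to dig further (MX lookup, WHOIS), not proof by
    itself, since some organisations do outsource their mail."""
    msg = email.message_from_string(raw)
    sender = org_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    return [h.from_host for h in received_chain(raw) if org_domain(h.from_host) != sender]
```

For the post's headers both relays are flagged, and the earliest hop resolves to the 78.141.15.22 address the post goes on to look up.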

A further search on this datawareservices.com shows, as expected, that the company behind the website (Dataware LLC) provides hosting services among other things. Just visit http://www.datawareservices.com or check the domain dossier at centralops.net.

OK. The sender of the email seems to be using the IP address 78.141.15.22, and a further lookup shows that this IP belongs to CRC-DSL, Cole Robert and Co Limited of Great Britain. Wahh… so far away eh for our own local bank ;) Maybank needs to hire a party from Great Britain just to send notification/warning emails to us eh :D

So, like the one that I’ve posted before, this email also asks the user to submit their user ID, password and TAC number to a “verification and secured” server. This time the URL points to http://www.systemsqwe.net/maybank2u/common/?MULogin.do?action (You can click this link if you want to, but you have to bear the consequences on your own.) But alas, the page is not there anymore and you’ll be presented with the “The Account has been Suspended” page. Looking for a cached copy of the page also failed.

NetCraft warning on the suspicious site



"The Account Has Been Suspended" page


And yes, by looking at the email source as well, you can see there are two hrefs for login. One points to cimbclicks.com (https://www.cimbclicks.com.my/wps/portal/!ut/p/c0/04_SB8K8xLLM9MSSzPy8xBz9QJ_89Mw8_YJ0RUUAk9OZqw!!/) and one to maybank2u (www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login).
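The link mix-up above (a "verification" link pointing at systemsqwe.net, a login link pointing at another bank) is the kind of thing a small link audit catches. This is an added example, not code from the post: it walks the anchors in an HTML body and flags any whose target host is outside a list of domains you trust, or whose visible text names a different host than the href actually goes to. The HTML body is constructed for the example from the URLs the post quotes; the trusted-domain list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body modelled on the post: the "verification" link goes
# to systemsqwe.net while the visible text and the other links name the banks.
SAMPLE_HTML = """
<p>Please visit <a href="http://www.systemsqwe.net/maybank2u/common/?MULogin.do?action">
www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do</a> to verify your TAC.</p>
<a href="https://www.cimbclicks.com.my/wps/portal/">Login</a>
<a href="http://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login">Login</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def in_domain(host, domains):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def mismatched_links(html, trusted):
    """Return (href, reason) for each anchor whose visible text names a host
    other than the real target, or whose target is outside the trusted domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host:
            findings.append((href, "text shows %s but link goes to %s" % (shown.group(1), host)))
        elif not in_domain(host, trusted):
            findings.append((href, "target %s is outside the trusted domains" % host))
    return findings
```

Run against the sample with ("maybank2u.com.my", "maybank.com.my") as the trusted list, it reports the systemsqwe.net link (text says maybank2u, target says otherwise) and the cimbclicks.com.my link, and lets the genuine maybank2u.com.my login link through.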

Dude, next time make sure you “clean up” or “audit” your spam mail properly OK?


4 Responses to “Another Phising but the bait didn’t work that well”

  1. on 25 Feb 2009 at 10:40 am Akram

    Nice! My write up is here:

    http://akr4mn00b.blogspot.com/2009/02/phishing.html

  2. on 26 Feb 2009 at 7:48 pm 0x3a

    nice write-up..

  3. on 05 Mar 2009 at 2:07 pm adli

    Good writeup bro. The thing I observe is that the bad guys and their tactics evolve. Banks require TAC for transactions, so they figure that out and make the spam mail and site request such details. Once they have got your name, password and TAC, the variables the criminals have to work with are the period of validity of the TAC (hours?), the amount of $$ to be transferred and the availability of mules (accounts to transfer it to).

    Speaking of mules, I’m getting job offers (like work from home, or investment) that specifically mention that you need an account with Bank X or Y. As a mule, you get a portion of the amount and send the rest to the criminals.

    All kinds of mitigations be it browser, dns and what have you do help in one way or another, but definitely not bullet proof :-) . Also, don’t be a mule :-)

  4. on 28 Sep 2010 at 12:36 pm tkp

    And obviously they are now using your hosted Maybank image in this post to send all of the e-mails…

    And someone who does not inspect thoroughly will accuse you of sending the e-mails.

    Or is it just really you bro? ;p
